The connected car conundrum

Posted by Jeffrey Kok, Vice President of Solution Engineer, Asia Pacific and Japan, CyberArk, 27-06-2018

Our cars have long been an extension of us. And, as we have become more digitally connected, so have our vehicles. Features such as navigation and multimedia streaming are increasingly being offered as standard, propelling the global connected car market to more than $219 billion by 20251.

In Singapore, it is estimated that the connected car penetration is expected to hit 46.2% in 2022 and the revenue in the "Connected Car" market came to US$66m just last year2. This complimented by the fact that consumers in Singapore are seen as the most “connected” in the world3, it comes with no surprise that cybersecurity plays a crucial role in protecting our assets.

The advancement of technology helps make our lives more convenient, however there can be gaps in which hackers can exploit such as your connected car.

If it’s connected it CAN be hacked

It used to be that the biggest risk was your physical car keys being stolen. But with technology progressing fast, your digital keys are likely to be even more sought after by criminals.

Let’s assume that the car manufacturer has a central server that’s getting feeds from all its vehicles, for example with data on your location. This data may be stored on the manufacturer’s premises, or it may be stored in the cloud. Either way, your car will have to authenticate in some way to connect to this central system, creating a new trust issue.

How does the manufacturer trust, if your car is talking to its central system, that it is that car? Or how do you trust, if the central system is talking to your car, that it is the central system?

Hackers will be trying to compromise that connectivity, and to do this they need two things. First, a route to connect into the system, for example an open WiFi. This has been a known technique since 2015 when hackers remotely compromised a Jeep Cherokee and paralysed it on the road.

Second, they will need a credential or permission to get in. These are your digital keys. What this means is if your car is open to connections or communications from an open source. If there’s a weak password, then attackers have got the credentials to gain access to your vehicle.

The driverless threat

The big question is, if that connection is compromised, what could an attacker do? Inevitably, the threat will become greater as technology advances, and when driverless cars hit the road in 2021.

This will take the capabilities of our connected cars to a whole new level and the biggest danger is that a vehicle will be taken over.

There is a huge amount of work happening right now, across the industry, to ensure that cybersecurity is fully integrated as part of the driverless vehicle development process. However, if someone did compromise that connection they could start to impersonate communications and send bogus commands to the car. Or vice versa – they could tell the central system that the car is over here when it’s somewhere entirely different and force a crash.

How attackers watch and learn

Indeed, attackers won’t automatically know how to configure or administrate driverless cars. However, we don’t need to look far for examples of where attackers have lurked inside the infrastructure until they had the knowledge to take control and cause considerable damage.

With the Swift Bangladesh Central Bank heist and the Ukranian power network hack, attackers got into the critical assets, and they watched and learnt until they knew how to make a transaction or turn off the power. We can expect to see a similar approach being attempted to compromise driverless cars, with attackers holding the keys for a long time before they take the wheel.

Of course, full control of the vehicle is not the only motivation for cybercriminals. We may also see attempts to track the journeys of high profile targets. Attackers could silently collect travel data, while also using advanced social engineering techniques, to build a comprehensive picture of the person’s habits and whereabouts. This could potentially lead to a new type of online blackmail.

As car connectivity continues to increase, there are even more digital identities to manage, secure and, ultimately, trust.  The onus is on the manufacturers to keep customer data secure and ensure personal safety, and that all starts with protecting these trusts and any respective credentials.